The 2014 Privy Nominations — “Privacy Hypocrite of the Year”

I’m pleased to post nominations in the hotly contested first category of Dubious Achievements in Privacy Law. Take your time to make a choice. Voting will not open until all nominations have been published — likely December 15.

Corrections and suggestions for additional nominees may be sent to vc.comments@gmail.com. But for those who think a particular nomination is unfair, the best remedy is to vote for a nominee who deserves the award and encourage others to do the same.

Commissioner Reding has led the charge to impose European restrictions on the way the National Security Agency gathers intelligence. When asked by the Guardian why the European Commission didn’t start by imposing restrictions on the way European Union members like Great Britain gather intelligence, she said

[T]here was little she or Brussels could do …, since secret services in the EU were the strict remit of national governments. The commission has demanded but failed to obtain detailed information from the British government on how UK surveillance practices are affecting other EU citizens…. “I have direct competence in law enforcement but not in secret services. That remains with the member states. In general, secret services are national,” said the commissioner.

Unless those secret services are American, apparently.

b. Francois Hollande, President of France

Spying on Allies is “Totally Unacceptable” Except When We Do It

President Hollande called President Obama to describe U.S. spying on its allies as “totally unacceptable,” language that was repeated by the Foreign Ministry when it castigated the U.S. ambassador over a story in Le Monde claiming that NSA had scooped up 70 million communications in France in a single month.

No, make that a double helping of Whoops. Because a week later, the Wall Street Journal revealed that it was the French government, not the NSA, that had collected the data: “Millions of phone records at the center of a firestorm in Europe over spying by the National Security Agency were secretly supplied to the U.S. by European intelligence services—not collected by the NSA, upending a furor that cast a pall over trans-Atlantic relations.”

c. James Sensenbrenner, U.S. House of Representatives

You Hid Information From Me By Disclosing It at Briefings I Refused to Attend

Rep. Sensenbrenner (R-WI) was chairman of the House Judiciary Committee when section 215 of the USA PATRIOT Act was first enacted, but in 2013 he repudiated the telephone metadata program that had been built on section 215.

And it turns out that spying on allies is a good deal more acceptable when Berlin is doing the spying. According to Der Spiegel, in 2008,

[T]he BND, Germany’s foreign intelligence service, inadvertently sent American officials a list of 300 phone numbers belonging to US citizens and residents — raising suspicions that the numbers had been tapped. A former deputy secretary of homeland security under President George W. Bush also described French and German intelligence agencies as “good” at spying on American officials. And US National Intelligence Director James Clapper on Tuesday testified before Congress that European allies are guilty of the same kind of spying that the US does.

e. Secretary Kathleen Sebelius

Harsh Privacy Penalties for Thee, But Not For Me

Secretary Sebelius’s Department of Health and Human Services imposed harsh penalties on companies handling health data during 2012. Even when there was no evidence that any data had been compromised, her department extracted millions of dollars in fines from companies that failed to perform adequate planning and testing for the security of their networks. Wellpoint, which among other things “did not perform an adequate technical evaluation in response to a software upgrade,” paid $1.7 million in fines. Idaho State, which “did not conduct an analysis of the risk to the confidentiality of [health data] as part of its security management process,” paid $400,000.

But those were the rules for others, not for HHS itself. Charged with implementing a website, healthcare.gov, that will carry sensitive health data for millions of Americans, HHS ignored the rules it imposed on the private sector. According to David Kennedy of TrustedSec, “even basic security was not built into the healthcare.gov website. TrustedSec is confident based on the exposures identified that the website has critical risks associated with it and security concerns should be remediated immediately.” Morgan Wright of Crowd Sourced Investigations pointed to failings that Wellpoint and Idaho State will have no difficulty recognizing: “The first major issue is the lack of, and inability to conduct, an end-to-end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top-down view of the full security posture.”